2 Answers
2

You shouldn't do that, because once your single key is compromised for any reason (stolen laptop, trojan, employee leaving the company, etc.), you will need to give each user a new one, most likely resulting in more time spent than you saved initially by creating only one.

If you want to avoid the complexities of creating a CA and signing (and revoking) client certificates (although with the easy-rsa script it really isn't that hard), OpenVPN also supports static keys (generated with openvpn --genkey) that are very straightforward to handle (although they will also be used for encryption, instead of TLS).

+1 for this. Note also that the client key is an important part of the security of the link. I suspect that if all clients have the same private key, then given the complete ciphertext of one client's session, any other client can decrypt it.
–
MadHatter Sep 8 '11 at 14:05

@MadHatter : Only if symmetric keys are used, I assume?
–
Sandra Sep 8 '11 at 16:57

1

Sorry, what? The private key and certificate form an asymmetric keypair, the latter being signed by some other entity (hence, certificate). Usually, these are used to negotiate a "nonce" session key, which is a symmetric key, yes. Is that what you meant?
–
MadHatter Sep 8 '11 at 17:02

@MadHatter : Sorry about the nonsense I wrote =) But yes, that was what I meant to say =)
–
Sandra Sep 8 '11 at 18:12
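As an added illustration of the per-client certificate approach recommended in the answer above (this is not part of the original answer, and it uses `openssl` directly as a stand-in for the easy-rsa scripts): a throwaway CA issues one certificate per client, revokes a single client, and a CRL check then rejects only that client while the others keep working. Client names, the CA name and the config file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original answer): a throwaway CA that issues
# one certificate per client and revokes one of them with plain openssl,
# standing in for easy-rsa. Names (alice, bob, "Example VPN CA") are constructed.
set -e

WORK=$(mktemp -d)

# Build the CA and one keypair + certificate per client.
setup_ca() {
  cd "$WORK"
  touch index.txt
  echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 90
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Example VPN CA" >/dev/null 2>&1
  for client in alice bob; do
    # Each client gets its own private key; the CA never needs to see it.
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -keyout "$client.key" -out "$client.csr" -subj "/CN=$client" >/dev/null 2>&1
    openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 90 -sha256 -out "$client.crt" >/dev/null 2>&1
  done
  # Publish an (empty) CRL so -crl_check has something to consult from the start.
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Revoke one client's certificate and reissue the CRL; other clients are untouched.
revoke_client() {
  cd "$WORK"
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Returns 0 when the client's cert chains to the CA and is not listed on the CRL.
verify_client() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

setup_ca
revoke_client bob
for client in alice bob; do
  if verify_client "$client"; then
    echo "$client: accepted"
  else
    echo "$client: rejected (revoked or untrusted)"
  fi
done
```

The point of the exercise is the last loop: after `revoke_client bob`, alice's certificate still verifies and bob's does not, with no new material handed to anyone. With a single shared key, the equivalent of "revoke bob" is "re-key every user".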

First off, I agree with Ingmar Hupp, you don't want to be passing around one single key for a bunch of users. It's really not part of a good security strategy. Additionally, as he mentions, setting up a CA and signing/revoking keys using easy-rsa is quite easy, and IMO worth the additional "manpower" (if you will) to set up / maintain keys properly, instead of passing a single one around.